by CaliforniaKarl 1753 days ago
For Linux systems at least, IAP doesn’t deal with privilege tiering. Instead, OS Login handles mapping a user’s Google account to a local account. There is also a program that queries a user’s SSH key from OS Login, and passes it to sshd when asked.

OS Login defines two IAM roles, one for “Can I log in?” and one for “Can I sudo?”. Those are implemented on the system via PAM, so you can add whatever additional restrictions you’d like.

Fetching of user information via OS Login is implemented via an NSS module. POSIX attributes can be customized via the Google Directory API. And I believe Google Groups can be mapped to POSIX supplemental groups, but I’m not certain.
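The three pieces the comment describes (the NSS module for user lookups, the two PAM gates for login and sudo, and the helper that hands SSH keys to sshd) can be checked on a host with a small audit script. This is an added example, not code from the comment or from Google's OS Login packages; the module and command names (pam_oslogin_login.so, pam_oslogin_admin.so, google_authorized_keys) are assumptions based on the guest OS Login packaging, so confirm them against your distro before relying on the checks.

```shell
# Added example (not from the HN comment or from Google's OS Login packages).
# Module/command names below are assumptions based on the OS Login guest package.

# NSS: do passwd and group lookups consult the oslogin module?
nss_uses_oslogin() {
    grep -Eq '^passwd:.*[[:space:]]oslogin([[:space:]]|$)' "$1" &&
    grep -Eq '^group:.*[[:space:]]oslogin([[:space:]]|$)' "$1"
}

# PAM: are both tiers wired in, the "can I log in?" gate and the "can I sudo?" gate?
# A line whose first non-blank character is '#' is a comment and does not count.
pam_has_oslogin_tiers() {
    grep -Eq '^[^#]*pam_oslogin_login\.so' "$1" &&
    grep -Eq '^[^#]*pam_oslogin_admin\.so' "$1"
}

# sshd: are public keys fetched through the OS Login helper rather than ~/.ssh/authorized_keys?
sshd_uses_oslogin_keys() {
    grep -Eq '^[[:space:]]*AuthorizedKeysCommand[[:space:]]+.*google_authorized_keys' "$1"
}

# Constructed sample configs (not captured from a real instance) for a dry run.
make_sample_configs() {
    d=$(mktemp -d)
    printf 'passwd: files oslogin\ngroup:  files oslogin\nshadow: files\n' > "$d/nsswitch.conf"
    printf 'passwd: files\ngroup:  files\n' > "$d/nsswitch.local"
    printf 'auth    [success=done perm_denied=die default=ignore] pam_oslogin_login.so\n' > "$d/sshd.pam"
    printf 'account [success=ok default=ignore] pam_oslogin_admin.so\n' >> "$d/sshd.pam"
    printf '# pam_oslogin_admin.so disabled here\nauth required pam_unix.so\n' > "$d/sshd.pam.partial"
    printf 'AuthorizedKeysCommand /usr/bin/google_authorized_keys\nAuthorizedKeysCommandUser root\n' > "$d/sshd_config"
    echo "$d"
}

# One line per check; exit status 0 only when every check passes.
# Usage: audit_oslogin /etc/nsswitch.conf /etc/pam.d/sshd /etc/ssh/sshd_config
audit_oslogin() {
    rc=0
    nss_uses_oslogin "$1" && echo "NSS: ok" || { echo "NSS: oslogin missing"; rc=1; }
    pam_has_oslogin_tiers "$2" && echo "PAM: ok" || { echo "PAM: login or admin tier missing"; rc=1; }
    sshd_uses_oslogin_keys "$3" && echo "SSHD: ok" || { echo "SSHD: keys not fetched via OS Login"; rc=1; }
    return $rc
}
```

A host that passes NSS and PAM but fails the sshd check still honours local authorized_keys files, so the IAM login role is not the only path onto the box.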